Digital Scotland Service Standard
The service standard aims to make sure that services in Scotland are continually improving and that users are always the focus.
8. Create a secure service which protects users’ privacy
Evaluate what data the service will be collecting storing and providing. Understand how government classifies that data, the organisation’s legal responsibilities, and security risks associated with the service.
Why it’s important
Government services often hold personal and sensitive information about users. Government has a legal duty to protect this information. Failing to do so would undermine public trust in government services.
How you do it
- Approach risk in a proportionate way
Identify security and privacy threats to the service and have a robust, proportionate approach to managing fraud and security risks
- Work with business and information risk teams
Take advice from senior information risk owners (SIROs), information asset owners (IAOs) and data guardians to make sure the service meets security requirements and regulations without putting delivery at risk
- Make security sustainable
Plan and budget to manage security during the life of the service, for example by responding to new threats, putting controls in place and applying security patches to software
- Protect users’ personal information
Collect and process users’ personal information in a way that’s secure and respects their privacy
- Test your systems
Carry out appropriate vulnerability and penetration testing
Links to detailed guidance:
- Guidance on designing a secure service from the National Cyber Security Centre (NCSC)
Guidance on approaching risk in appropriate way from the National Cyber Security Centre
Information for organisations on protecting users' personal information through the Data Protection Impact Assessment (DPIA) process
Within Scottish Government, there is local guidance on DPIA provided on the intranet. Other organisations should check for equivalent local guidance
Guidance from NCSC on secure development practices
Guidance from NCSC on penetration testing and vulnerability management.
There is a problem
Thanks for your feedback